Bug #80602 Segfault when using DOMChildNode::before()
Submitted: 2021-01-06 20:34 UTC Modified: 2022-06-14 17:06 UTC
From: jules dot bernable at gmail dot com Assigned: beberlei (profile)
Status: Closed Package: DOM XML related
PHP Version: 8.0.0 OS: debian
Private report: No CVE-ID: None
 [2021-01-06 20:34 UTC] jules dot bernable at gmail dot com
Description:
------------
When calling DOMChildNode::before() on an element, if one of the parameters is a text node that is the previous sibling of that element, the program segfaults.

Test script:
---------------
<?php declare(strict_types=1);

$doc = new \DOMDocument();
$doc->loadXML('<a>foo<last/></a>');
// $target is <last/>; its previous sibling is the text node "foo".
$target = $doc->documentElement->lastChild;
// Passing that text node between two strings is what triggers the crash.
$target->before('bar', $doc->documentElement->firstChild, 'baz');
echo $doc->saveXML($doc->documentElement);


Expected result:
----------------
<a>barfoobaz<last/></a>

Actual result:
--------------
free(): double free detected in tcache 2
Aborted

History

 [2021-01-06 20:45 UTC] nikic@php.net
-Status: Open +Status: Verified
 [2021-01-18 16:05 UTC] nikic@php.net
-Assigned To: +Assigned To: beberlei
 [2021-01-18 16:05 UTC] nikic@php.net
I believe this happens because https://github.com/php/php-src/blob/d340be0d3246542c1ae34d632f36510fb1792852/ext/dom/parentnode.c#L184 can free "newNode" according to libxml docs:

> Add a new node to @parent, at the end of the child (or property) list merging adjacent TEXT nodes (in which case @cur is freed)

This seems like rather peculiar behavior, guess that it's necessary to handle text nodes in some other way that does not end up destroying them?
 [2021-01-18 16:14 UTC] beberlei@php.net
Confirmed, will take a look asap.
 [2021-02-01 22:25 UTC] beberlei@php.net
Confusingly, it segfaults with $target->before('bar', $doc->documentElement->firstChild, 'baz');

but it works with $target->before($doc->documentElement->firstChild, 'baz'); or even $target->before($doc->documentElement->firstChild);
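A small regression script covering the three argument shapes discussed in this thread (added here as an example; it is not part of the bug report or of php-src). Expected outputs follow the DOM "before()" semantics: the moved text node is removed from its old position and inserted, together with the string arguments, before the target.

```php
<?php declare(strict_types=1);

// Regression check for bug #80602. Each case builds a fresh document because
// on an unpatched build the crashing case aborts the whole process, so it is
// listed last to let the working variants report first.
function runCase(string $label, callable $fn, string $expected): bool
{
    $doc = new DOMDocument();
    $doc->loadXML('<a>foo<last/></a>');
    $root = $doc->documentElement;
    // $target is <last/>, $text is its previous sibling, the text node "foo".
    $fn($root->lastChild, $root->firstChild);
    $actual = $doc->saveXML($root);
    $ok = ($actual === $expected);
    printf("%-28s %s\n", $label, $ok ? 'ok' : "FAIL: got $actual");
    return $ok;
}

$cases = [
    // Variants beberlei reported as working even before the fix.
    ['before(foo)',            fn($t, $text) => $t->before($text),               '<a>foo<last/></a>'],
    ['before(foo, "baz")',     fn($t, $text) => $t->before($text, 'baz'),        '<a>foobaz<last/></a>'],
    // The reported crash: the text node sandwiched between two strings.
    ['before("bar", foo, "baz")', fn($t, $text) => $t->before('bar', $text, 'baz'), '<a>barfoobaz<last/></a>'],
];

$failures = 0;
foreach ($cases as [$label, $fn, $expected]) {
    if (!runCase($label, $fn, $expected)) {
        $failures++;
    }
}
exit($failures === 0 ? 0 : 1);
```

On a build without the fix the last case aborts with the double-free message from the report instead of printing a result, so a non-zero exit or a missing final line both indicate an unpatched DOM extension.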
 [2022-06-14 17:06 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix bug #80602
On GitHub:  https://github.com/php/php-src/pull/8729
Patch:      https://github.com/php/php-src/pull/8729.patch
 [2023-03-30 19:02 UTC] git@php.net
Automatic comment on behalf of NathanFreeman (author) and nielsdos (committer)
Revision: https://github.com/php/php-src/commit/2d6decc14c977159b90e9dcfa0c562c01794c12a
Log: Fix bug #80602: Segfault when using DOMChildNode::before()
 [2023-03-30 19:02 UTC] git@php.net
-Status: Verified +Status: Closed
Last updated: Tue Dec 03 16:01:33 2024 UTC